Atomic Edge Product

AI-Powered CVE Analysis for WordPress Plugins

We use AI to automate the differential analysis between vulnerable and patched plugin versions in order to understand and interpret the underlying security issues. What we share here are research-grade proof-of-concept demonstrations, the findings of which are then fed back into our endpoint firewall service.

WordPress Proof of Concepts

AI-assisted vulnerability analysis with PoC demonstration

2026-04-08

CVE-2026-39534: WP Directory Kit <= 1.5.0 – Missing Authorization (wpdirectorykit)

The WP Directory Kit plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 1.5.0. This makes it possible for unauthenticated attackers to perform an unauthorized action.

2026-04-08

CVE-2026-39502: Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder <= 1.15.38 – Unauthenticated SQL Injection (form-maker)

The Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 1.15.38 due to insufficient escaping of the user-supplied parameter and a lack of sufficient preparation of the existing SQL query. This makes it possible for unauthenticated attackers to…

2026-04-08

CVE-2026-0814: Advanced CF7 DB <= 2.0.9 – Missing Authorization to Authenticated (Subscriber+) Form Submissions Excel Export (advanced-cf7-db)

The Advanced Contact form 7 DB plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'vsz_cf7_export_to_excel' function in all versions up to, and including, 2.0.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, to export form submissions to an Excel file.

2026-04-08

CVE-2026-39480: BackupBliss – Backup & Migration with Free Cloud Storage <= 2.1.1 – Unauthenticated Information Exposure (backup-backup)

The BackupBliss – Backup & Migration with Free Cloud Storage plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.1.1. This makes it possible for unauthenticated attackers to extract sensitive user or configuration data.

2026-04-08

CVE-2026-39524: Masteriyo LMS – Online Course Builder for eLearning, LMS & Education <= 2.1.5 – Missing Authorization (learning-management-system)

The Masteriyo LMS – Online Course Builder for eLearning, LMS & Education plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 2.1.5. This makes it possible for unauthenticated attackers to perform an unauthorized action.

2026-04-08

CVE-2026-0811: Advanced CF7 DB <= 2.0.9 – Cross-Site Request Forgery to Form Entry Deletion (advanced-cf7-db)

The Advanced Contact form 7 DB plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.0.9. This is due to missing or incorrect nonce validation on the 'vsz_cf7_save_setting_callback' function. This makes it possible for unauthenticated attackers to delete form entries via a forged request, granted they can trick…

2026-04-08

CVE-2026-2942: ProSolution WP Client <= 1.9.9 – Unauthenticated Arbitrary File Upload via proSol_fileUploadProcess (prosolution-wp-client)

The ProSolution WP Client plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'proSol_fileUploadProcess' function in all versions up to, and including, 1.9.9. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.

2026-04-08

CVE-2026-39523: Solene Core <= 2.3.2 – Unauthenticated Local File Inclusion (solene-core)

The Solene Core plugin for WordPress is vulnerable to Local File Inclusion in versions up to, and including, 2.3.2. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive…

2026-04-08

CVE-2026-39470: Cart Abandonment Recovery for WooCommerce – Recover Lost Sales with Automated Emails < 2.1.0 – Authenticated (Shop Manager+) Privilege Escalation (woo-cart-abandonment-recovery)

The Cart Abandonment Recovery for WooCommerce – Recover Lost Sales with Automated Emails plugin for WordPress is vulnerable to Privilege Escalation in all versions up to 2.1.0 (exclusive). This makes it possible for authenticated attackers, with Shop Manager-level access and above, to escalate their privileges to that of an administrator.

2026-04-08

CVE-2026-3574: Experto Dashboard for WooCommerce <= 1.0.4 – Authenticated (Administrator+) Stored Cross-Site Scripting via 'Navigation Font Size' Setting (experto-custom-dashboard)

The Experto Dashboard for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's settings fields (including 'Navigation Font Size', 'Navigation Font Weight', 'Heading Font Size', 'Heading Font Weight', 'Text Font Size', and 'Text Font Weight') in all versions up to and including 1.0.4. This is due to insufficient input sanitization (no…

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website and the internet — inspecting, filtering, and blocking malicious traffic before it ever reaches your application.